Transcript Slide 1

NDSU IT Security
• Theresa Semmens
Chief Information Technology
Security Officer
• Jeff Gimbel
Senior Security Analyst
NDSU Physical Infrastructure
• Open Network
– External facing network
• 79 subnets
• Open to Internet
– Internal facing network
• 79 subnets
• Open to the University System and some statewide entities
– Firewalled network
• Used by some departments for regulatory compliance
– Server room network
• Used for server to server communication (e.g., backup)
NDSU IT Infrastructure
Supported Departments
Distributed IT
Independent Departments
A Little History
– 2004, ND Information Technology Department
• SNMP Scan – Found a majority of
printers on the University System
network that had SNMP set to public
– 2008, Foundstone
• 175 insecure devices recognized
as printers
How did the printer problem
really come to light?
• Nessus scan
– Removed the safe scan
• See how much paper would be wasted
– LaserJet M 602
• 3 sheets
– Nessus findings
• FTP open
• Telnet open
• Web page default username and password
• SNMP community name set to public
How did the printer problem
really come to light? (continued)
• Brought to the attention of IT leadership
– Nessus set to “scan the entire network”
– Work out alternative solution
Is this really a problem?
• 2008 - NDSU dropped support for printers
as cost-savings initiative
• Currently, departments request DNS name
for purchased printers
– Name is granted within our naming scheme
– Name is added to an install script
• Printer plugged into the network
Methodology
1. Tools – What are we going to use?
2. Locating devices – How widespread is the problem?
3. Policies and procedures – Shouldn’t we have covered
this somewhere?
4. Identification and notification – How do we let
stakeholders know their printers are not secure?
5. Reactions – How could we have been so wrong about
how stakeholders would react?
6. Interesting problems – It did WHAT?
7. First follow-up scan – Is it working?
Tools Used
• Angry IP scanner (GPLv2)
• Putty (GNU GPL)
• WinSCP (GNU GPL)
• Microsoft Excel (campus agreement)
• Student Employee
Locating Devices
• Finding what is on the network
• Angry IP Scanner
– http://angryip.org/w/Home
Locating Devices (continued)
Findings
• External network – Outward facing
– 3,526 active hosts (June 7)
– 67 recognizable printers
• Internal network – Not routable to the
Internet
– 1885 active hosts (June 6)
– 509 recognizable printers
How bad is it?
• Human solution for finding the
vulnerabilities in the printers
– Didn’t want to be responsible for:
• Crashing printers
• Reams of wasted paper
• Default usernames and passwords
Methodology
• What did the student employee do?
– Opened a browser to IP and hostname
• Tried to log in using defaults
– Used Putty to Telnet into IP or hostname
• Port 23
– Tried anonymous FTP connection with
WinSCP
• Port 21
• Anonymous login selected
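The checks listed above were done by hand, one device at a time. The script below is an added example (not from the NDSU deck, and not any tool the presenters used) that automates the same three service checks against an inventory list: is FTP reachable, does it accept an anonymous login, is Telnet reachable, and is a web configuration page reachable. Host names, ports and the `port_check`/`ftp_check` parameters are this example's own; the default-password step is deliberately left to the manual procedure, since the device's own documentation is the authority for that. Run it only against printers you are responsible for.

```python
"""Automate the manual printer checks from the deck: FTP, anonymous FTP, Telnet, web page."""
import socket
from ftplib import FTP, all_errors

# Service ports the manual procedure used (assumed standard ports)
FTP_PORT, TELNET_PORT, HTTP_PORT = 21, 23, 80


def port_open(host, port, timeout=2.0):
    """True if a TCP connection to host:port completes within `timeout` seconds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unresolvable, etc.
        return False


def anonymous_ftp_allowed(host, timeout=5.0):
    """True if the device accepts an anonymous FTP login (the WinSCP 'anonymous' step)."""
    try:
        ftp = FTP()
        ftp.connect(host, FTP_PORT, timeout=timeout)
        ftp.login()  # ftplib defaults to user 'anonymous'
        ftp.quit()
        return True
    except all_errors:
        return False


def audit_printer(host, port_check=port_open, ftp_check=anonymous_ftp_allowed):
    """Return the findings for one host, worded like the deck's Nessus findings.

    `port_check` and `ftp_check` are injectable so the logic can be exercised
    offline with fakes (see the usage below); by default they touch the network.
    """
    findings = []
    if port_check(host, FTP_PORT):
        findings.append("FTP open")
        if ftp_check(host):
            findings.append("Anonymous FTP login accepted")
    if port_check(host, TELNET_PORT):
        findings.append("Telnet open")
    if port_check(host, HTTP_PORT):
        # Web page reachable: the default-password check stays a manual step.
        findings.append("Web configuration page reachable (verify default password was changed)")
    return findings


def audit_inventory(hosts, **checks):
    """Audit every host in an inventory list; returns {host: [findings]}."""
    return {h: audit_printer(h, **checks) for h in hosts}


if __name__ == "__main__":
    # Constructed inventory: replace with your own exported host list.
    for host, found in audit_inventory(["printer-a.example.edu"]).items():
        print(host, "->", found or ["no findings"])
```

The output dictionary is the same shape as the per-device findings the deck reports, so it can be fed straight into the notification step that follows.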
Findings (continued)
• External network – 67 printers
– 20 with anonymous FTP logins (30%)
– 20 default user/admin accounts (30%)
– 9 Telnet logins (13%)
Findings (continued)
• Internal network – 509 printers
– 177 with anonymous FTP logins (35%)
– 219 default user/admin accounts (43%)
– 156 Telnet logins (31%)
Policies and Procedures
• Reviewed existing policies and procedures
– Did we have any?
– Why were they not being followed?
– Should we create new ones?
– How do we enforce new
policies and procedures?
Review of Policies, Procedures
• Vague policies
– N.D. University System 1901.2
– NDSU 158
• No documented procedures
– No procedures meant few people knew what
should have been done
• Started new procedures right away
– Isn’t getting client buy-in the most difficult task
anyway?
Vendors
• Mind tricks (policies or procedures) do not work on them, only money
• Need to make sure departments consult with central IT unit before making purchases of devices that will be placed on the network
Identification and Notification
• DNS names include department name, for
the most part
• For others, impossible to know to which
department they belonged
Methodology
• Sent emails to identified groups
– IP address
– DNS name
– Vulnerabilities found
– Directions for cleanup
• Worked with communications coordinator
and IT Help Desk
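The two slides above describe the identification step (department is read from the DNS name where the naming scheme allows it) and the notification step (one email per group with IP, DNS name, vulnerabilities and cleanup directions). The script below is an added example, not code from the NDSU deck, that does both over a constructed set of scan results. The naming scheme it parses (`<dept>-<label>.example.edu`), the sample records and the cleanup wording are all this example's assumptions, not NDSU's real scheme or text.

```python
"""Group printer findings by department and draft one cleanup notice per group."""
from collections import defaultdict
import re

# Assumed naming scheme: "<dept>-<label>.example.edu" (hypothetical, not NDSU's).
NAME_RE = re.compile(r"^(?P<dept>[a-z]+)-[a-z0-9-]+\.example\.edu$", re.IGNORECASE)

# Cleanup directions per finding (constructed, illustrative wording).
DIRECTIONS = {
    "anonymous FTP": "Disable FTP on the device or require authentication.",
    "default credentials": "Set a unique administrator password on the web interface.",
    "Telnet open": "Disable Telnet, or set a password and a short idle timeout.",
    "SNMP public": "Change the SNMP community name from 'public'.",
}

# Constructed sample scan results (not real hosts).
RECORDS = [
    {"ip": "10.0.1.20", "dns": "chem-print1.example.edu", "findings": ["anonymous FTP", "Telnet open"]},
    {"ip": "10.0.1.21", "dns": "chem-copier.example.edu", "findings": ["default credentials"]},
    {"ip": "10.0.2.5", "dns": "hist-lj4.example.edu", "findings": ["SNMP public"]},
    {"ip": "10.0.3.9", "dns": "lj4250.example.edu", "findings": ["anonymous FTP"]},
    {"ip": "10.0.3.10", "dns": None, "findings": ["Telnet open", "SNMP public"]},
]


def department_from_dns(dns_name):
    """Return the department token from a DNS name, or None if the name does not follow the scheme."""
    m = NAME_RE.match(dns_name or "")
    return m.group("dept").lower() if m else None


def group_by_department(records):
    """Bucket records by department; names outside the scheme go to UNIDENTIFIED for manual lookup."""
    groups = defaultdict(list)
    for r in records:
        groups[department_from_dns(r["dns"]) or "UNIDENTIFIED"].append(r)
    return dict(groups)


def draft_notice(dept, devices):
    """Build the email body for one group: IP, DNS name, findings, then cleanup directions."""
    lines = [f"To: {dept} printer contact", "",
             "The following printers were found with insecure settings:"]
    for d in devices:
        lines.append(f"- {d['ip']} ({d['dns'] or 'no DNS name'}): {', '.join(d['findings'])}")
    needed = sorted({f for d in devices for f in d["findings"]})
    lines += ["", "Cleanup directions:"]
    for f in needed:
        lines.append(f"- {f}: {DIRECTIONS.get(f, 'Contact the security office.')}")
    return "\n".join(lines)


def build_notices(records):
    """Return {department: notice_text} for every group in the scan results."""
    return {dept: draft_notice(dept, devs) for dept, devs in group_by_department(records).items()}


if __name__ == "__main__":
    for dept, text in build_notices(RECORDS).items():
        print(f"=== {dept} ===\n{text}\n")
```

The UNIDENTIFIED bucket is the useful output here: it is exactly the set of devices the deck says were "impossible to know to which department they belonged", so it becomes the worklist for the communications coordinator and Help Desk rather than getting silently dropped.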
Methodology
Sent out the emails and we waited
Reactions
• Panicked when contacted by security office
• Needed help with securing process
• Grateful for help
• Calm and collected
• Were able to configure devices with no problems
• Glad to help
It did WHAT?!?!
Interesting Problems
• Printers no longer printing
– Disabled port 9100
– Disabled SNMP
– Client needed reconfiguration
1. Stop the print spooler
2. Delete all jobs in C:\Windows\system32\spool
3. Restart spooler
4. Delete all IP ports
5. Delete all printers
6. Restart computer
7. Setup printers
Problems (continued)
• Older printers did not have a Web-based
configuration
– Older Java
• Did not have any of the sections needed to configure
– Configuration through Telnet
• set-password – Changes default password
• ftp-config:0 – Disables FTP
• set-cmnty-name: <newname> – Changes default SNMP
• idle-timeout: 5 – Sets short timeout for Telnet
Follow-Up Scan
• External network
– Initially 67 printers
• 20 with anonymous FTP logins (30%)
• 20 default user/admin accounts (30%)
• 9 Telnet logins (13%)
– First follow-up scan found 67 Printers
• 16 with anonymous FTP logins (24%)
• 17 default user/admin accounts (25%)
• 7 Telnet logins (10%)
Follow-Up Scan
• Internal network
– Initially 509 printers
• 177 with anonymous FTP logins (35%)
• 219 default user/admin accounts (43%)
• 156 Telnet logins (31%)
– First follow-up scan found 509 Printers
• 129 with anonymous FTP logins (25%)
• 182 default user/admin accounts (36%)
• 118 Telnet logins (23%)
What’s Next?
Questions?